HBSD+OPNsense: Set hardening.pax.disallow_map32bit.status=1 by default

LuaJIT creates 32-bit memory maps in a 64-bit execution environment, which is disabled by default in HardenedBSD. We never ported the MAP_32BIT disallow logic over from HardenedBSD to OPNsense prior to 18.1. The merge of HardenedBSD's ASLR implementation for 18.1 also brought in the new logic. Instead of removing disallow_map32bit, simply set it to 1 by default. This will allow those who don't use LuaJIT applications to set it to 2 in /boot/loader.conf.local. Note that this commit is specific to OPNsense. OPNsense ships without the PAX_SYSCTLS kernel option, thus it's impossible to toggle via sysctl.conf(5) and must be set via loader.conf.local. Signed-off-by: Shawn Webb <shawn@opnsense.org> github-issue: opnsense/plugins#466
2026-06-09 08:43:19 -04:00 · 2018-01-12 02:31:22 -05:00 · 2018-01-12 02:31:22 -05:00 · 5a1bbae356
commit 5a1bbae356
parent 5f9b4916ee
1 changed files with 0 additions and 4 deletions
--- a/sys/hardenedbsd/hbsd_pax_aslr.c
+++ b/sys/hardenedbsd/hbsd_pax_aslr.c
@ -200,12 +200,8 @@ static int pax_aslr_exec_len = PAX_ASLR_DELTA_EXEC_DEF_LEN;
 static int pax_aslr_vdso_len = PAX_ASLR_DELTA_VDSO_DEF_LEN;
 #ifdef MAP_32BIT
 static int pax_aslr_map32bit_len = PAX_ASLR_DELTA_MAP32BIT_DEF_LEN;
-#ifdef PAX_HARDENING
-static int pax_disallow_map32bit_status_global = PAX_FEATURE_OPTOUT;
-#else
 static int pax_disallow_map32bit_status_global = PAX_FEATURE_OPTIN;
 #endif
-#endif

 #ifdef COMPAT_FREEBSD32
 static int pax_aslr_compat_status = PAX_FEATURE_OPTOUT;